grokdesigns/auth-basic.conf

## auth-basic.conf
auth_basic              "Restricted Area";
auth_basic_user_file    htpasswd;

## proxy.conf
proxy_connect_timeout   59s;
proxy_send_timeout      600;
proxy_read_timeout      600;
proxy_buffer_size       64k;
proxy_buffers           16 32k;
proxy_pass_header       Set-Cookie;
proxy_hide_header       Vary;

proxy_busy_buffers_size         64k;
proxy_temp_file_write_size      64k;

proxy_set_header        Accept-Encoding         '';
proxy_ignore_headers    Cache-Control           Expires;
proxy_set_header        Referer                 $http_referer;
proxy_set_header        Host                    $host;
proxy_set_header        Cookie                  $http_cookie;
proxy_set_header        X-Real-IP               $remote_addr;
proxy_set_header        X-Forwarded-Host        $host;
proxy_set_header        X-Forwarded-Server      $host;
proxy_set_header        X-Forwarded-For         $proxy_add_x_forwarded_for;

proxy_set_header        X-Forwarded-Port        '443';
proxy_set_header        X-Forwarded-Ssl         on;
proxy_set_header        X-Forwarded-Proto       https;
proxy_set_header        Authorization           '';

proxy_redirect         http://*SUBDOMAIN*/ /;
proxy_redirect         https://*SUBDOMAIN*/ /;

## ssl.conf
ssl on;
ssl_certificate /etc/ssl/certs/*KEYNAME*.cer;
ssl_certificate_key /etc/ssl/private/*KEYNAME*.key;

# Perfect forward secrecy
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !$

# HSTS
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

## subdomain.conf
server {
    listen 443;
    server_name *SUBDOMAIN*;

    access_log /var/log/nginx/*SUBDOMAIN*.access.log;
    error_log /var/log/nginx/*SUBDOMAIN*.error.log;

    root   /usr/share/nginx/*SUBDOMAIN*;
    index  index.html index.htm;

    include ssl.conf;

    location / {
      proxy_pass http://*INTERNALADDRESS*:PORT/;
      include proxy.conf;
      include auth-basic.conf;
    }
}
	proxy_connect_timeout 59s;
	proxy_send_timeout 600;
	proxy_read_timeout 600;
	proxy_buffer_size 64k;
	proxy_buffers 16 32k;
	proxy_pass_header Set-Cookie;
	proxy_hide_header Vary;

	proxy_busy_buffers_size 64k;
	proxy_temp_file_write_size 64k;

	proxy_set_header Accept-Encoding '';
	proxy_ignore_headers Cache-Control Expires;
	proxy_set_header Referer $http_referer;
	proxy_set_header Host $host;
	proxy_set_header Cookie $http_cookie;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-Host $host;
	proxy_set_header X-Forwarded-Server $host;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

	proxy_set_header X-Forwarded-Port '443';
	proxy_set_header X-Forwarded-Ssl on;
	proxy_set_header X-Forwarded-Proto https;
	proxy_set_header Authorization '';

	proxy_redirect http://SUBDOMAIN/ /;
	proxy_redirect https://SUBDOMAIN/ /;
	ssl on;
	ssl_certificate /etc/ssl/certs/KEYNAME.cer;
	ssl_certificate_key /etc/ssl/private/KEYNAME.key;

	# Perfect forward secrecy
	ssl_prefer_server_ciphers on;
	ssl_dhparam /etc/ssl/certs/dhparam.pem;
	ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !$

	# HSTS
	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
	server {
	listen 443;
	server_name SUBDOMAIN;

	access_log /var/log/nginx/SUBDOMAIN.access.log;
	error_log /var/log/nginx/SUBDOMAIN.error.log;

	root /usr/share/nginx/SUBDOMAIN;
	index index.html index.htm;

	include ssl.conf;

	location / {
	proxy_pass http://INTERNALADDRESS:PORT/;
	include proxy.conf;
	include auth-basic.conf;
	}
	}